September 2011 OLUG Meeting

The September 2011 OLUG Meeting will be on Tuesday, September 6th at 6:30 PM at the AIM Institute Training Lab/Careerlink.com Career Center, 1911 Harney Street in the Exchange Building.

Presentation: Linux EXT3 File Recovery Via Indirect Blocks by Hal Pomeranz

Hal is a Faculty Fellow of the SANS Institute, and it’s longest-tenured instructor. He is the track author and primary instructor for their Linux/Unix Security certification track (GCUX). He is also a GIAC Certified Forensic Analyst (GCFA) and an instructor in the SANS Computer Forensics curriculum. Hal frequently contributes to the SANS Computer Forensics blog and is a co-author with fellow SANS instructor Ed Skoudis and Tim Medin of the weekly on-line Command Line Kung Fu column.

The Meeting will be streamed live on the OLUG channel on Ustream.tv – http://www.ustream.tv/channel/Omaha-Linux-User-Group

Archived video can be found here: http://www.ustream.tv/user/olug/videos

Linux EXT3 File Recovery Via Indirect Blocks
============================================
The classic problem with recovering deleted data in modern Linux EXT
file systems is that when inode meta-data structures are deallocated,
the block pointer information in these structures is zeroed. This
makes direct reassembly of the original file extremely difficult.

File-carving techniques (foremost, scalpel, et al) can sometimes be
used when the target file has well-defined start and end signatures.
However, many common Linux file formats lack these signatures or have
no well-defined end of file marker—e.g., compressed or gzip data, tar
archives, and so on. Also, these file-carving techniques can run
afoul of meta-data information—indirect block pointers—embedded in the
block stream of larger files. When this meta-data information is
naively incorporated into the recovered data blocks, the usual result
is a corrupted and unreadable file. Traditional file-carving tools
simply “work around” (skip) indirect block data with varying degrees
of success. But simply skipping this indirect block metadata misses
out on a golden opportunity to easily recover most or all of the
original file.

The presentation will begin with an overview of EXT file systems and
the indirect block pointer mechanism. The limitations of existing
file carving tools will be demonstrated. Then we will use existing
and newly developed tools to detect indirect blocks to manually
recover file data from an actual file system.

Leave a Comment

You must be logged in to post a comment.

Olug Mailing list Members: 261
Things will be bright in P.M. A cop will shine a light in your face. You are using: ipv4.. Meh. - 18.220.242.160 ln04.olug.org
ipv6 ready